<#
.SYNOPSIS
Enumerates either all mailbox permissions or all Active Directory permissions that have been
granted to a given user and writes them to an HTML report.

.DESCRIPTION
This function enumerates either all mailbox permissions (Get-MailboxPermission) or all AD
permissions (Get-ADPermission) found on every mailbox for the user provided. A permission entry is
reported when it is held by the user directly or by a group the user is a direct member of.
Depending on the size of your environment, processing might take a while, especially when running
with -Query AD, because every mailbox in the organisation is walked.

The function should be used as follows:
Get-UserMailboxPermission -User <name> -Path <folder> -Query <Mailbox|AD>

Requires the ActiveDirectory module (AD DS Remote Server Administration Tools) and the Exchange
cmdlets Get-Mailbox / Get-MailboxPermission / Get-ADPermission to be available in the session.

.PARAMETER user
The user for whom you want to find out where he/she has been granted access (passed verbatim to
Get-ADUser -Identity).

.PARAMETER path
The folder the report file "mailboxpermissionreport_<user>.html" is written to.

.PARAMETER query
Either "Mailbox" for mailbox permissions or "AD" for AD permissions (compared case-insensitively).

.EXAMPLE
Get-UserMailboxPermission -User JohnD -Path C:\Reports -Query Mailbox
Executes a search for mailbox permissions for user "JohnD" on all mailboxes. Afterwards, the report
is stored under C:\Reports.

.EXAMPLE
Get-UserMailboxPermission -User JohnD -Path C:\Reports -Query AD
Executes a search for Active Directory permissions for user "JohnD" on all mailboxes. Afterwards,
the report is stored under C:\Reports.

.NOTES
NOTE(review): in this copy of the script the HTML markup inside the report strings appears to have
been stripped (most $Output+= lines append an empty string), so the report body as shown is mostly
plain text; confirm against the original source before relying on the generated HTML.
#>
function Get-UserMailboxPermission
{
    [CmdletBinding()]
    # NOTE(review): [int] does not describe this function's output — it writes a report file and
    # emits nothing to the pipeline (see End).
    [OutputType([int])]
    Param
    (
        # Parameter 1: the user whose granted access is enumerated
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$false,
                   ValueFromPipelineByPropertyName=$false,
                   ValueFromRemainingArguments=$false,
                   Position=0,
                   HelpMessage='The user for whom you want to find out where he/she has been granted access to',
                   ParameterSetName='Parameter Set 1')]
        [ValidateNotNullOrEmpty()]
        [string]
        $user,

        # Parameter 2: folder the report should be stored in
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$false,
                   ValueFromPipelineByPropertyName=$false,
                   ValueFromRemainingArguments=$false,
                   Position=1,
                   HelpMessage='The path where the report file should be written to',
                   ParameterSetName='Parameter Set 1')]
        [ValidateNotNullOrEmpty()]
        [string]
        $path,

        # Parameter 3: choose either mailbox permissions ("Mailbox") or AD permissions ("AD").
        # NOTE(review): only non-emptiness is validated; any other value means neither $query
        # branch in _GetPermissions runs, so $permissions stays empty and the report has no rows.
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$false,
                   ValueFromPipelineByPropertyName=$false,
                   ValueFromRemainingArguments=$false,
                   Position=2,
                   HelpMessage='choose either "Mailbox" for mailboxpermissions 
or "AD" for AD-permissions',
                   ParameterSetName='Parameter Set 1')]
        [ValidateNotNullOrEmpty()]
        [string]
        $query
    )

    Begin
    {
        # Look for the ActiveDirectory module among the installed modules; $module is set to the
        # string "true" when it is found (it is never reset, so the test below is a plain flag check).
        Get-Module -ListAvailable | foreach{ if($_.Name -eq "ActiveDirectory"){$module = "true"} }
        if($module -eq "true"){
            Import-Module ActiveDirectory
        }
        else{
            # NOTE(review): '//' is not a comment token in PowerShell; the next line is most likely
            # parsed as a command named '//' and raises a "not recognized" error before the message
            # below is written. It should read '# end script and notify'.
            // end script and notify
            # NOTE(review): Exit ends the calling script or interactive session, not only this
            # function; a terminating error (throw) would fail more gently.
            Write-Output "This script requires AD DS Remote Server Administration Tools to be installed"
            Exit
        }
    }

    Process
    {
        # Builds the report body and emits it to the pipeline as a single string.
        # Reads $user and $query from the enclosing function scope; is invoked from End.
        function _GetPermissions{
            $Output=""
            $Output+=""
            $Output+=""
            $Output+="Mailbox Permission Enumeration Script
"
            $Output+=""
            $Output+="Executed on:"+(Get-Date)+"

"
            $Output+="The following permissions have been found for "+$user+":

"
            $Output+=""
            $Output+=""
            $Output+=""
            $Output+=""
            # Query-specific header fragments (-eq is case-insensitive, so "AD"/"ad" both match).
            if($query -eq "ad"){$Output+=""}
            if($query -eq "mailbox"){$Output+=""}
            $Output+=""
            $Output+=""
            $Output+=""

            # Collect the permission entries for every mailbox in the organisation — this is the
            # expensive step the warnings refer to.
            if($query -eq "mailbox"){
                Write-Host "Caution: it might take a long time to process this script!" -ForegroundColor Red
                Write-Host "Fetching Mailbox Permissions" -ForegroundColor Yellow
                $permissions = Get-Mailbox | Get-MailboxPermission | Select-Object SecurityIdentifier,Identity,User,AccessRights,Deny,isInherited
            }
            if($query -eq "ad"){
                Write-Host "Caution: it might take a long time to process this script!" -ForegroundColor Red
                Write-Host "Fetching AD Permissions..." -ForegroundColor Yellow
                $permissions = Get-Mailbox | Get-ADPermission | Select-Object Identity,User,AccessRights,ExtendedRights,Deny,isInherited
            }

            # Determine the SID of the user we want to search permissions for
            $userobject = Get-AdUser -Identity $user
            $sid = $userobject.sid.value

            # NOTE(review): $i is never initialised before the loop; PowerShell treats the unset
            # variable as 0 on the first $i++, so the counter works, but an explicit $i = 0 would
            # make that visible.
            foreach ($perm in $permissions){
                $i++
                # NOTE(review): relies on $permissions.count — with a single result this can be
                # $null on older PowerShell versions and break the percentage; confirm on the target.
                Write-Progress -activity "Verifying permissions" -status "Progress: " -PercentComplete (($i / $permissions.count) * 100)

                # Determine the SID of the object that holds this permission entry
                $mbxsid = $perm.user.securityidentifier.value
                if($mbxsid -eq $sid){
                    # Direct match. Row colour: denied + inherited -> orange, denied + explicit -> red,
                    # any allow -> #B5E61D.
                    # NOTE(review): an inherited *allow* therefore gets the same colour as an explicit
                    # one, although the legend lists "Inherited Permissions" separately — confirm
                    # this is intended. $bgcolor is also never referenced in this copy; the markup
                    # that used it appears to be stripped.
                    if($perm.Deny -eq $True){
                        if($perm.isInherited -eq $True){
                            $bgcolor="orange"
                        }
                        else{
                            $bgcolor="red"
                        }
                    }
                    else{
                        $bgcolor="#B5E61D"
                    }
                    $Output+=""
                    $Output+=""
                    $Output+=""
                    if($query -eq "mailbox"){$Output+=""}
                    if($query -eq "ad"){$Output+=""}
                    $Output+=""
                    $Output+=""
                    $Output+=""
                }
                else{
                    # No direct match: check whether the SID belongs to a group and, if so, whether
                    # the user is a member of that group.
                    # NOTE(review): $mbxsid is interpolated into the LDAP filter unescaped; it comes
                    # from the permission entry's SecurityIdentifier rather than from the caller.
                    $getobject = Get-ADObject -LDAPFilter "(ObjectSID=$mbxsid)"
                    if($getobject.objectClass -eq "group"){
                        $bgcolor="#25B900"
                        # Only direct members are checked (no -Recursive), so rights the user holds
                        # through nested group membership are not reported.
                        $groupmembers = Get-AdGroupMember -Identity $getobject
                        foreach($groupmember in $groupmembers){
                            if($groupmember.sid.value -eq $sid){
                                $Output+=""
                                $Output+=""
                                $Output+=""
                                if($query -eq "mailbox"){$Output+=""}
                                if($query -eq "ad"){$Output+=""}
                                $Output+=""
                                $Output+=""
                                $Output+=""
                            }
                        }
                    }
                }
            }
            # NOTE(review): this statement runs after the loop, so $perm here is whatever the last
            # iteration left behind ($null when there were no entries, which makes the
            # get-mailbox call below fail). In this copy it looks like table header/row text that
            # was relocated when the markup was stripped; confirm against the original script.
            $Output+="
User/GroupMailboxExtendedRightsAccessRightsDenyInherited?
"+$perm.User+""+(get-mailbox -Identity $perm.Identity).alias+""+$($perm.AccessRights)+""+$($perm.ExtendedRights)+""+$perm.Deny+""+$perm.isInherited+"
"+$perm.User+""+(get-mailbox -Identity $perm.Identity).alias+""+$($perm.AccessRights)+""+$($perm.ExtendedRights)+""+$perm.Deny+""+$perm.isInherited+"
"
            # Emit the assembled report body; End captures it.
            $Output
        }#end function _GetPermissions
    }#end Process

    End
    {
        # Assemble the full report: body from _GetPermissions, then the legend, then write it out.
        # $Output is unset in this scope, so the first += starts from an empty value.
        $Output+= _GetPermissions
        $Output+="

 

"
        $Output+="

Legend:

"
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+=""
        $Output+="
  Explicitly Assigned Permissions
  Excplicitly Denied Permissions
  Inherited Permissions
  Inherited through group membership
"
        $Output+="
"
        $Output+=""
        # NOTE(review): the destination is built by plain concatenation and $user is embedded
        # verbatim in the file name; a trailing backslash in $path doubles the separator and any
        # path separator in $user changes the destination. Join-Path with a sanitised name would be
        # safer. Out-File uses the host's default encoding.
        $file = $path+"\mailboxpermissionreport_$user.html"
        $Output | Out-File $file
    }
}